
Thread: roo security @preAuthorize @postFilter issues

  1. #1
    Join Date
    May 2009
    Posts
    15

    Question roo security @preAuthorize @postFilter issues

    Hi,

    I'm using spring security 3.0.5 with roo. I've been at this for a while now, can't figure it out... so I hope you guys can help.

    In one of my Domain classes I added some find methods to the .java file (in addition to the roo generated ones in the .aj file).

    Trying to secure them as follows doesn't seem to do anything if using mode="aspectj" in the global method security namespace element. Everything works, but I don't think method security is ever actually applied. Don't see anything in logs...

    Code:
    @PreAuthorize("ROLE_USER")
    @PostFilter("hasPermission(filterTarget,role) or hasRole('ROLE_ADMIN')")

    Trying to use AOP instead, method security is applied:

    Code:
    org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource - @org.springframework.security.access.prepost.PreAuthorize(value=ROLE_USER) found on specific method: public static java.util.List x.y.DomainObject.findX()
    2011-02-27 10:32:45,728 ["http-bio-8080"-exec-8] DEBUG org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource - @org.springframework.security.access.prepost.PostFilter(value=hasPermission(filterTarget,role) or hasRole('ROLE_ADMIN')) found on specific method: public static java.util.List x.y.DomainObject.findX()
    2011-02-27 10:32:45,737 ["http-bio-8080"-exec-8] DEBUG org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource - Adding security method [CacheKey[x.y.DomainObject; public static java.util.List x.y.DomainObject.findX()]] with attributes [[authorize: 'ROLE_USER', filter: 'null', filterTarget: 'null'], [authorize: 'null', filter: 'hasPermission(filterTarget,role) or hasRole('ROLE_ADMIN')']]

    but results in:

    Code:
    java.lang.IllegalStateException: Post-processor tried to replace bean instance of type [x.y.DomainObject] with (proxy) object of type [$Proxy134] - not supported for aspect-configured classes!

    So my question is:

    Is it even possible to secure methods on the same class in the .aj files as well as the .java files?

    If not what would be the best way to achieve what I want?
    Add my own methods as aspects and only use aspectj mode?

    Thanks!

  2. #2
    Join Date
    Sep 2009
    Posts
    101

    Default

    Did you enable the security aspects in your pom?

    http://forum.springsource.org/showpo...40&postcount=3

    (Look at step #2 - if you don't do that, Spring Security aspects won't be compiled into your code and the annotations won't do anything.)
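
An added example, not taken from this thread or from the linked post (whose exact steps are not reproduced here): what enabling the Spring Security aspects in a Roo project's build typically looks like. The `${spring-security.version}` property and the file names in the comments are assumptions about the project layout.

```xml
<!-- pom.xml: dependency that provides the Spring Security AspectJ aspects -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-aspects</artifactId>
  <!-- assumed property name; the thread uses Spring Security 3.0.5 -->
  <version>${spring-security.version}</version>
</dependency>

<!-- pom.xml: inside the existing aspectj-maven-plugin <configuration>,
     so the security aspects are woven at compile time -->
<aspectLibraries>
  <aspectLibrary>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aspects</artifactId>
  </aspectLibrary>
  <aspectLibrary>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-aspects</artifactId>
  </aspectLibrary>
</aspectLibraries>

<!-- Security application context (assumed to use the security schema as
     its default namespace): method security in AspectJ mode -->
<global-method-security mode="aspectj" pre-post-annotations="enabled"/>
```

If the aspect library is not woven in, the annotations are inert and the annotated methods run with no authorization check, which is the silent behaviour described in the first post. A test that calls a secured method without an authenticated user and expects a denial confirms that enforcement is actually in place.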

  3. #3
    Join Date
    May 2009
    Posts
    15

    Default

    Thanks, I was missing that.

    Edit: That did it!!! Thanks a lot!

    Could you still tell me how you knew to do exactly that? I read all the docs, reference guides and so on. I didn't find that info anywhere.
    Last edited by muskatus; Feb 28th, 2011 at 07:01 AM.

  4. #4
    Join Date
    Sep 2009
    Posts
    101

    Default

    I don't remember. It might have been the comments in SEC-1232, or maybe some comments in these here Roo forums. I'd been following this subject for a while....

    (It was some people in these forums that teased out changes to Roo and Spring Security which made some of this work. One cool thing is you can now write your own security aspects that inject @PreAuthorize annotations on Roo-managed methods!)

  5. #5
    Join Date
    May 2009
    Posts
    15

    Default

    Quote Originally Posted by mikej View Post
    One cool thing is you can now write your own security aspects that inject @PreAuthorize annotations on Roo-managed methods!

    Yeah I've seen that. Looks nice indeed.

  6. #6
    Join Date
    Jan 2011
    Posts
    20

    Default

    @mikej and @muskatus

    It worked on tc Server Developer but it does not work with Tomcat and Jetty. I don't know why?

    Could you test with mvn tomcat:run and mvn jetty:run?
    Last edited by tk1cntt; Mar 6th, 2011 at 04:37 AM.

  7. #7
    Join Date
    Sep 2009
    Posts
    101

    Default

    Sorry, it wouldn't be easy for me to test with mvn tomcat:run (I have an external directory I need on my classpath and I don't see a way to add it to the Maven Tomcat plugin configuration).

    If it helps, I use Tomcat 6 standalone and I start it up via Eclipse.

  8. #8
    Join Date
    May 2009
    Posts
    15

    Default

    Quote Originally Posted by tk1cntt View Post
    @mikej and @muskatus

    It worked on tc Server Developer but it does not work with Tomcat and Jetty. I don't know why?

    Could you test with mvn tomcat:run and mvn jetty:run?

    I've only used Tomcat 7 so far and it works.

  9. #9
    Join Date
    Jan 2011
    Posts
    20

    Default

    Just type

    Code:
    cd /path/to/roo
    
    mvn jetty:run

    and Maven will load all plugin dependencies.

    Please help me test it

    Thanks so much

  10. #10
    Join Date
    Sep 2009
    Posts
    101

    Default

    It's not a plugin dependency, it's an external folder where I keep properties files I don't want to keep inside the war. The tomcat maven plugin doesn't provide a mechanism for adding external folders to the classpath so these properties files can be picked up.

    At any rate, perhaps you could test with Tomcat or Jetty standalone and troubleshoot from there.
